Potential Persistence Via COM Search Order Hijacking

Detects potential COM object hijacking leveraging the COM Search Order

Sigma rule

title: Potential Persistence Via COM Search Order Hijacking
id: a0ff33d8-79e4-4cef-b4f3-9dc4133ccd12
status: experimental
description: Detects potential COM object hijacking leveraging the COM Search Order
references:
    - https://www.cyberbit.com/blog/endpoint-security/com-hijacking-windows-overlooked-security-vulnerability/
author: Maxime Thiebaut (@0xThiebaut), oscd.community, Cédric Hien
date: 2020/04/14
modified: 2023/09/28
tags:
    - attack.persistence
    - attack.t1546.015
logsource:
    category: registry_set
    product: windows
detection:
    selection: # Detect new COM servers in the user hive
        TargetObject|contains: '\CLSID\'
        TargetObject|endswith: '\InprocServer32\(Default)'
    filter_main_generic:
        Details|contains: # Exclude privileged directories and observed FPs
            - '%%systemroot%%\system32\'
            - '%%systemroot%%\SysWow64\'
    filter_main_onedrive:
        Details|contains:
            # Related To OneDrive
            - '\AppData\Local\Microsoft\OneDrive\'
            - '\FileCoAuthLib64.dll'
            - '\FileSyncShell64.dll'
            - '\FileSyncApi64.dll'
    filter_main_health_service:
        Image|endswith: ':\WINDOWS\system32\SecurityHealthService.exe'
    filter_main_teams:
        Details|contains|all:
            - '\AppData\Local\Microsoft\TeamsMeetingAddin\'
            - '\Microsoft.Teams.AddinLoader.dll'
    filter_main_dropbox:
        Details|contains|all:
            - '\AppData\Roaming\Dropbox\'
            - '\DropboxExt64.*.dll'
    filter_main_trend_micro:
        Details|endswith: 'TmopIEPlg.dll' # TrendMicro osce
    filter_main_update:
        Image|endswith:
            - ':\WINDOWS\system32\wuauclt.exe'
            - ':\WINDOWS\system32\svchost.exe'
    filter_main_defender:
        Image|contains:
            - ':\ProgramData\Microsoft\Windows Defender\Platform\'
            - ':\Program Files\Windows Defender\'
        Image|endswith: '\MsMpEng.exe'
    filter_main_nvidia:
        Details|contains: '\FileRepository\nvmdi.inf'
    filter_main_edge:
        Image|endswith: '\MicrosoftEdgeUpdateComRegisterShell64.exe'
    filter_main_dx:
        Image|endswith: ':\WINDOWS\SYSTEM32\dxdiag.exe'
    filter_main_python:
        Details|endswith:
            - ':\Windows\pyshellext.amd64.dll'
            - ':\Windows\pyshellext.dll'
    filter_main_bonjourlib:
        Details|endswith:
            - ':\Windows\system32\dnssdX.dll'
            - ':\Windows\SysWOW64\dnssdX.dll'
    filter_main_printextensionmanager:
        Details|endswith: ':\Windows\system32\spool\drivers\x64\3\PrintConfig.dll'
    filter_main_programfiles:
        Details|contains:
            - ':\Program Files\'
            - ':\Program Files (x86)\'
    filter_main_programdata:
        Details|contains: ':\ProgramData\Microsoft\'
    filter_main_gameservice:
        Details|contains: ':\WINDOWS\system32\GamingServicesProxy.dll'
    filter_main_poqexec:
        Image|endswith: ':\Windows\System32\poqexec.exe'
        Details|contains: ':\Windows\System32\Autopilot.dll'
    filter_main_sec_health_svc:
        Image|endswith: ':\Windows\system32\SecurityHealthService.exe'
        Details|contains: ':\Windows\System32\SecurityHealth'
    filter_main_inprocserver:
        Image|endswith:
            - ':\Windows\System32\poqexec.exe'
            - ':\Windows\System32\regsvr32.exe'
        TargetObject|endswith: '\InProcServer32\(Default)'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Some installed utilities (e.g. OneDrive) may serve new COM objects at user-level
level: medium
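To show how the selection and the filter_main_* blocks combine under the rule's condition, here is an added Python evaluator (not part of the rule or of SigmaHQ) that applies a subset of the rule's blocks to constructed registry_set events; the hive path, SID, CLSID and file paths in the events are made up for the example.

```python
import fnmatch

# Sigma's string modifiers are case-insensitive and treat '*' as a wildcard.
def _match(value, op, pattern):
    v, p = value.lower(), pattern.lower()
    return fnmatch.fnmatchcase(v, "*" + p + "*" if op == "contains" else "*" + p)

# A condition is (field, modifier, patterns, all_required); a block matches when every condition holds.
SELECTION = [("TargetObject", "contains", ["\\CLSID\\"], False),
             ("TargetObject", "endswith", ["\\InprocServer32\\(Default)"], False)]
FILTERS = {  # subset of the rule's filter_main_* blocks, in the rule's own values
    "generic": [("Details", "contains", ["%systemroot%\\system32\\", "%systemroot%\\SysWow64\\"], False)],
    "onedrive": [("Details", "contains", ["\\AppData\\Local\\Microsoft\\OneDrive\\", "\\FileCoAuthLib64.dll",
                                           "\\FileSyncShell64.dll", "\\FileSyncApi64.dll"], False)],
    "dropbox": [("Details", "contains", ["\\AppData\\Roaming\\Dropbox\\", "\\DropboxExt64.*.dll"], True)],
    "defender": [("Image", "contains", [":\\ProgramData\\Microsoft\\Windows Defender\\Platform\\",
                                         ":\\Program Files\\Windows Defender\\"], False),
                 ("Image", "endswith", ["\\MsMpEng.exe"], False)],
    "programfiles": [("Details", "contains", [":\\Program Files\\", ":\\Program Files (x86)\\"], False)],
    "inprocserver": [("Image", "endswith", [":\\Windows\\System32\\poqexec.exe", ":\\Windows\\System32\\regsvr32.exe"], False),
                     ("TargetObject", "endswith", ["\\InProcServer32\\(Default)"], False)],
}

def _block_matches(event, block):
    for field, op, patterns, all_required in block:
        hits = [_match(event.get(field, ""), op, p) for p in patterns]
        if not (all(hits) if all_required else any(hits)):
            return False
    return True

def classify(event):
    """'no-match' if the selection misses, 'filtered:<name>' if a filter suppresses it, else 'alert'."""
    if not _block_matches(event, SELECTION):
        return "no-match"
    for name, block in FILTERS.items():  # condition: selection and not 1 of filter_main_*
        if _block_matches(event, block):
            return "filtered:" + name
    return "alert"

# Constructed registry_set events: SID, CLSID, user name and paths are made up.
HIVE = "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Classes\\CLSID\\{11111111-2222-3333-4444-555555555555}"
EVENTS = {
    "user_dll": {"Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe",
                 "TargetObject": HIVE + "\\InprocServer32\\(Default)",
                 "Details": "C:\\Users\\alice\\AppData\\Roaming\\Vendor\\shell.dll"},
    "onedrive": {"Image": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe",
                 "TargetObject": HIVE + "\\InprocServer32\\(Default)",
                 "Details": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\23.0\\FileSyncShell64.dll"},
    "regsvr32": {"Image": "C:\\Windows\\System32\\regsvr32.exe",
                 "TargetObject": HIVE + "\\InprocServer32\\(Default)",
                 "Details": "C:\\Users\\alice\\AppData\\Roaming\\Vendor\\shell.dll"},
    "localserver": {"Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe",
                    "TargetObject": HIVE + "\\LocalServer32\\(Default)",
                    "Details": "C:\\Users\\alice\\AppData\\Roaming\\Vendor\\app.exe"},
}

if __name__ == "__main__":
    for name, ev in EVENTS.items():
        print(f"{name:12} -> {classify(ev)}")
```

Only the first event alerts: the OneDrive write is suppressed by filter_main_onedrive, the regsvr32.exe write by filter_main_inprocserver (so InprocServer32 registrations performed through regsvr32.exe or poqexec.exe never fire this rule), and the LocalServer32 write falls outside the selection.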
